*** mhen_ is now known as mhen | 02:24 | |
LarsErikP | Hi! I just wondered if there is any news on supporting the YubiHSM2? https://review.opendev.org/c/openstack/barbican/+/900107 | 11:24 |
---|---|---|
carloss | o/ hello folks. I was asked a question from a maintainer that is working on the integration of Barbican with Manila and I am unsure what would be the best solution for their question. They are following this guide: https://docs.openstack.org/barbican/latest/configuration/keystone.html | 18:59 |
carloss | in the ``[keystone_authtoken]`` section, a project name should be provided: `project_name = {YOUR_KEYSTONE_PROJECT}` | 19:01 |
* carloss is sorry for the bad formatting of the message 🙃 | 19:01 | |
carloss | the issue is: they would need to have both Manila and Cinder consuming barbican | 19:01 |
carloss | so is there a way they can easily configure both projects? | 19:02 |
carloss | and set the project name and the credentials? | 19:02 |
dmendiza[m] | Hi carloss! | 19:22 |
dmendiza[m] | carloss I don't quite understand what you're trying to do. The link you posted is for configuring a Barbican deployment to enforce RBAC using Keystone as the source of truth. | 19:23 |
dmendiza[m] | For this to work, a Keystone user must be created that will be used by the Barbican service to validate tokens presented by users | 19:24 |
dmendiza[m] | By convention, in Keystone you would create a user called "barbican" and assign the "service" role on the "service" project. | 19:24 |
dmendiza[m] | the [keystone_authtoken] section in barbican.conf can be used to provide the credentials for this user, so that when Barbican is run, it reads the credentials there and uses those to get a service token. It then sends the service token along with the user's token to Keystone to validate the authenticity of the user token. | 19:27 |